FS#74835 - [iptables-nft] after upgrade to v1.8.8, docker is failing to start

Attached to Project: Arch Linux
Opened by Daniel (8472) - Monday, 23 May 2022, 15:37 GMT
Last edited by Toolybird (Toolybird) - Sunday, 31 July 2022, 00:08 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
After upgrading iptables-nft to v1.8.8 and restarting the OS/docker.service, docker fails to start.

Additional info:
* package version(s):
- iptables-nft 1:1.8.8-1
- kernel: 5.15.41-1-lts
- OS fully updated
- nftables enabled (if I do "nft flush ruleset", then the docker.service starts even with this reported v1.8.8)
- no problem otherwise with docker.service or nftables if iptables-nft is of previous v1.8.7
Steps to reproduce:
- upgrade iptables-nft to latest 1.8.8-1
- restart docker.service; it will fail, with errors in the dockerd logs (full log attached), such as:
-- "Error initializing network controller"
-- "Error creating default "bridge" network"
-- "Failed to Setup IP tables: Unable to allow intercontainer communication"
-- "iptables failed: iptables -I FORWARD -i docker0 -o docker0 -j ACCEPT: iptables v1.8.8 (nf_tables): CHAIN_ADD failed (File exists): chain FORWARD"
-- "could not create bridge network for id"

Workaround:
- downgrade iptables-nft to previous, e.g. 1.8.7-1
- restart docker.service

Closed by Toolybird (Toolybird)
Sunday, 31 July 2022, 00:08 GMT
Reason for closing:  Works for me
Comment by Toolybird (Toolybird) - Friday, 29 July 2022, 02:28 GMT
Is this still happening even with latest docker 1:20.10.17-1? Have you reported upstream? Not seeing other reports so it might be specific to your setup. Tried a non-lts kernel? Please let us know.
Comment by Daniel (8472) - Saturday, 30 July 2022, 11:14 GMT
Yes, it's happening also with latest docker.
No, have not reported it upstream.
Tried non-LTS, it's the same.

You're probably right, it looks like a setup-specific problem.
Until now I used the following workaround "mark set 1" https://wiki.archlinux.org/index.php?title=Nftables&oldid=636859#Working_with_Docker (article history).
This worked fine with iptables-nft v1.8.7.
As of iptables-nft v1.8.8 something must've changed.
When I tested through my nftables rules, I managed to trace the problem to "table ip filter" => "chain FORWARD".
Disabling single or all of the chain's internal rules doesn't help, but disabling the whole "chain FORWARD" helped and docker started properly.

The "newer" nftables article workaround https://wiki.archlinux.org/title/Nftables#Working_with_Docker could also be a solution.
It seems to work, but I need the docker container to reach LAN resources.
LAN = "192.168.*".
Article's workaround IP addresses are "10.0.0.*".
In this constellation, I cannot reach LAN "192.168.*" resources from the "10.0.0.*" namespace's container.
Have tried using my own IP addresses for the namespace, but no success.
However, I'm not skilled with the "ip namespace", so I have to find out how it works, or disable the "chain FORWARD".

I guess you can close this, and thank you anyway.
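The failure traced above, a chain FORWARD already present in table ip filter that iptables-nft 1.8.8 then cannot add for dockerd, can be spotted in a ruleset dump before the upgrade. The following POSIX shell check is an added example, not from the bug report or the Arch wiki; it generalises to the other chain names iptables-nft creates in that table (INPUT, OUTPUT), and the sample ruleset it runs on is constructed.

```shell
#!/bin/sh
# Added check (not part of the bug report): list chains in "table ip filter"
# whose names iptables-nft itself creates, so a colliding ruleset is spotted
# before dockerd fails with "CHAIN_ADD failed (File exists): chain FORWARD".
# Input: ruleset text on stdin, in the format printed by `nft list ruleset`.

find_filter_chain_conflicts() {
    awk '
        # a non-indented "table FAMILY NAME {" line opens a table
        /^table / { table = $2 " " $3 }
        # an indented "chain NAME {" line belongs to the current table
        /^[ \t]+chain / {
            if (table == "ip filter" &&
                ($2 == "INPUT" || $2 == "FORWARD" || $2 == "OUTPUT"))
                print "table ip filter chain " $2
        }
    '
}

# Constructed sample ruleset modelled on the "mark set 1" style workaround:
# a user-defined table ip filter that already owns a FORWARD base chain.
SAMPLE_RULESET='table inet firewall {
    chain input {
        type filter hook input priority 0; policy drop;
    }
}
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
        mark 1 accept
    }
}
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority 100; policy accept;
    }
}'

# Returns the conflicting chains found in the constructed sample.
sample_conflicts() {
    printf '%s\n' "$SAMPLE_RULESET" | find_filter_chain_conflicts
}

# Run against the sample; on a live host use: nft list ruleset | find_filter_chain_conflicts
sample_conflicts
```

An empty result means no chain in table ip filter shares a name with the ones iptables-nft manages; a listed chain is the one to rename or move out of that table (the chain names in table inet or other families are not reported).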
Comment by Toolybird (Toolybird) - Sunday, 31 July 2022, 00:08 GMT
Ok, it's apparent the docker/nftables combo is still maturing. It sounds like you're close to a solution. Thanks for getting back to us.